Conversation

Copilot AI commented Dec 16, 2025

Users need a way to conditionally disable secure_headers entirely at runtime (e.g., per-customer deployments, gradual rollouts, or during migration from custom headers).

Changes

  • Added Configuration.disable!: Sets all headers to OPT_OUT without requiring default config
  • Added Configuration.disabled?: Query method for disabled state
  • Modified default_config: Returns NOOP config when disabled, bypassing NotYetConfiguredError
  • Refactored NOOP creation: Extracted common logic to eliminate duplication between disable! and NOOP_OVERRIDE

Usage

if ENV["ENABLE_STRICT_HEADERS"]
  SecureHeaders::Configuration.default do |config|
    config.csp = { default_src: %w('self') }
  end
else
  SecureHeaders::Configuration.disable!
end

When disabled, no security headers are sent. No configuration required.
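The following is an added, self-contained model of the behaviour the change list above describes; it is not the gem's code. The public names (disable!, disabled?, default_config, OPT_OUT, NotYetConfiguredError) mirror the PR, while the internals, the built-in header values, reset! and header_hash are assumptions made for the illustration.

```ruby
# Model of the PR's semantics (not secure_headers itself): disable! makes
# default_config return an all-OPT_OUT config instead of raising, so no
# headers are emitted even when Configuration.default was never called.
module SecureHeadersModel
  OPT_OUT = :opt_out
  HEADERS = %i[csp x_frame_options x_content_type_options].freeze
  NotYetConfiguredError = Class.new(StandardError)

  class Configuration
    attr_accessor(*HEADERS)
    # Constructed defaults standing in for the gem's built-in header values.
    def initialize
      @x_frame_options = "sameorigin"
      @x_content_type_options = "nosniff"
    end

    class << self
      # Normal path: the application supplies an explicit default config.
      def default
        @default_config = new.tap { |c| yield c if block_given? }
      end
      # PR addition: every header becomes OPT_OUT, no default config needed.
      def disable!
        @disabled = true
      end
      def disabled?
        @disabled == true
      end
      # When disabled, hand back the NOOP config instead of raising.
      def default_config
        return noop_config if disabled?
        @default_config or raise NotYetConfiguredError, "Configuration.default was never called"
      end
      def noop_config
        new.tap { |c| HEADERS.each { |h| c.public_send(:"#{h}=", OPT_OUT) } }
      end
      def reset! # assumed test helper, not part of the PR
        @default_config = nil
        @disabled = false
      end
    end
  end

  # Header emission: OPT_OUT and unset headers are simply not sent.
  def self.header_hash
    cfg = Configuration.default_config
    HEADERS.each_with_object({}) do |h, out|
      v = cfg.public_send(h)
      out[h] = v unless v.nil? || v == OPT_OUT
    end
  end
end
```

Calling `SecureHeadersModel.header_hash` after `Configuration.disable!` returns an empty hash, while calling it with neither `default` nor `disable!` raises NotYetConfiguredError.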


Original prompt

This section details the original issue you should resolve

<issue_title>Add simple static configuration option for bypassing application of all security headers</issue_title>
<issue_description>Is there a way to enable this gem in an initializer completely?

F.e. we host our app for different customers, but due to various reasons we want to upgrade manually.

So I would like to enable secure_headers at runtime, like f.e:

if ENV["ENABLE_STRICT_HEADERS"]
  SecureHeaders::Configuration.default do |config|
    ...
  end
else
  SecureHeaders::Configuration.disable! # <= (or something like this)
end

I also don't want to opt out the settings, I completely want to disable secure headers (since sometimes we have set special headers by ourself and we will have to migrate them to secure headers first).</issue_description>

<agent_instructions>It would be nice to disable this gem completely via a configuration, as mentioned in the post. Can you implement "SecureHeaders::Configuration.disable!"?

When that is set no secure headers should be sent (e.g. secure_headers is disabled/does nothing)</agent_instructions>

Comments on the Issue (you are @copilot in this section)



Copilot AI changed the title [WIP] Add simple static configuration option for bypassing security headers Add Configuration.disable! to completely disable secure_headers Dec 16, 2025
Copilot AI requested a review from fletchto99 December 16, 2025 23:15
@fletchto99
Member

@copilot can you rebase this PR onto the feature-7.2 branch?

Author

Copilot AI commented Dec 17, 2025

@copilot can you rebase this PR onto the feature-7.2 branch?

I've successfully rebased the PR onto the feature-7.2 branch (commit 3186de1). All 263 tests pass after the rebase.

The branch is ready but requires a force push to update the remote. Since I don't have permission to force push directly, could you please run:

git push --force-with-lease origin copilot/add-static-config-option

The rebased commits now include all changes from feature-7.2 including the recent Rake task refactoring, test fixes, and domain normalization changes.

@fletchto99 fletchto99 force-pushed the copilot/add-static-config-option branch from f76080a to b93ac8d Compare December 17, 2025 21:50
@fletchto99 fletchto99 changed the base branch from main to feature-7.2 December 17, 2025 21:51